Wednesday, March 9, 2011

Best Practice RCSA Framework

For a long time, Control Self-Assessment has been a recognized, industry-wide approach used by both operational risk and audit departments to assess whether a specific business function is operating its controls effectively. The program is supposed to identify whether any control breaches have occurred during a reporting period and how congruent each control is within the network of controls.

In this blog we highlight the key points for making a Risk Control Self-Assessment program a success. A presentation has been included here which outlines a best practice Risk Control Self-Assessment (RCSA) method.

Most organisations accept that the guard dog between a driver or hazard for operational risk and its associated unwanted outcome is the control network. It follows, of course, that most organisations put activities in place for assessing these controls.

Five key factors that should feature in any Risk Control Self-Assessment program are:

[1] The RCSA process needs to follow formalised, discrete phases which evolve the entire program across the organisation. The first phase involves setting ground rules and building the control questionnaires; these control questionnaires are then linked to the enterprise taxonomical structure of the business. RCSA programs generally fail if this activity is not carried out in a transparent and comprehensive manner.

[2] The RCSA control capture activity also needs to typecast controls and assign controls to specific risk categories. This will allow for benchmarking to occur at a later date once control effectiveness data is captured. Control typecasting also allows RCSA programs to be integrated with other operational risk framework elements such as loss event data.

[3] RCSA data points need to be stored in a repository of some kind so that reports can be easily generated over time.

[4] Self-Assessment Questions need to be taxonomy compatible, have accuracy ratings and be workable in a standardised manner across the enterprise.

[5] The RCSA program itself must be sensitive to human or behavioural disorders including: Darley’s Law, Myopia, Herd Mentality and Subjectivity.

DARLEY'S LAW

Darley's law translates to the way people perceive rewards and punishments. In one example and in the context of RCSA, I remember clearly when a department marked all of its controls as failing in the first month of assessment, only to claim these controls were corrected in subsequent months. The game played by management here was to use this fictitious control improvement angle as a reason to justify bonuses for the entire department.

MYOPIA

Myopia is all to do with framing. If a control assessment question is framed negatively, it will draw a different response from people with highly conservative fear factors than from risk takers. Posing the same question in a positive manner may result in a different assessment response for the same condition, even though nothing has changed.

Organisations are full of “the glass is half empty kind of people” at one end of the scale and optimists at the other end. These differing groups of people will respond to negatively and positively framed questions in different ways.

HERD MENTALITY

Herd Mentality is the most annoying issue with RCSA programs. Staff in departments tend to collude with each other when completing their RCSA questionnaires and it isn't uncommon to hear teams ask each other “what did you put as an answer for question x”. They do this in an effort to fit in with the perceived norm and a benchmark that they believe the organisation expects. This herd mentality of course creates erroneous responses, and counteracting the behaviour is particularly difficult.

The presentation attached to this posting discusses these unique elements of RCSA and the hurdles as well. It shows how Discriminant Analysis can be used to create failure ratios and how weighting controls may improve the accuracy of a control self-assessment program.

Marti, mate. Stumbled across your blog by accident. Good to see you are still very active in the risk community. I've returned to the UK and am currently working on an RCSA program at JPMorgan Chase. All the best, Richard de K

Author

Martin Davies is a risk framework architect with strong domain knowledge across a diverse set of risk fraternities, a background in banking front-to-back and the ability to articulate business requirements into functional information technology concepts. He is focused on structured products for emerging markets and works with several tier one banks, regulators and brokerages across South East Asia.